grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS version 2026062100 released

Upgrading this release from a release not yet based on Android 17 requires using the standard over-the-air update system rather than ADB sideload. For users who only update via ADB sideload, we'll be releasing a special Android 16 QPR2 release with a backported fix for the upstream Android bug causing the issue. This bug also exists in the Pixel OS for both Android 16 QPR3 and Android 17 too but it bypasses it through being bloated enough to always trigger a fallback path. We confirmed adding a 1GiB randomly generated file to GrapheneOS would bypass the issue similarly to the stock Pixel OS but we'll be fixing the issue instead.

Tags:

  • 2026062100 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, Pixel 10a, emulator, generic, other targets)

Changes since the 2026061800 release:

  • disable MTE for Widevine Rikers service since it's incompatible with it (issue predates Android 17)
  • Sandboxed Google Play compatibility layer: avoid opening extra file descriptions to obtain Play services data prefix paths to avoid a compatibility issue with anti-tampering code used by the Kia Connect app and likely others (issue predates Android 17)
  • separate GrapheneOS framework resource IDs from AOSP resource IDs to avoid incompatibilities with Pixel vendor components (issue predates Android 17)
  • kernel (Pixel 10): fix for an upstream Broadcom Wi-Fi bcm4383 driver memory corruption bug to avoid invalid memory accesses caught by the kernel hardware memory tagging enabled by GrapheneOS
  • disable UBLK feature flag for over-the-air updates due to it likely causing update reliability issues for devices with support for it (6.6 kernel or newer)
  • disable UBLK for generated over-the-air update packages to force disable it for updates from the initial Android 17 release
  • increase the maximum size of log events in production builds to match debug builds to avoid the kernel panic message and traceback being cut off
  • use DevicePolicyManager.MAX_PASSWORD_LENGTH PIN length limit for the new upstream SystemUI PIN user interface for entering the PIN outside of the lockscreen to fix support for the expanded limit of 128 on GrapheneOS instead of using Android's limit of 16 (this didn't apply to passwords and it was straightforward to work around it by changing the PIN to a password)
  • Settings: show night light settings even when Pixel Comfort View is enabled since we're missing the settings for it (currently only relevant to the 10th gen Pixels other than the Pixel 10a)
  • allow using the new flashlight quick tile while locked (GrapheneOS requires unlocking by default for system quick tiles)
  • SystemUI: avoid crashing when trying to edit a screen recording without a video editor app
  • fix upstream bug causing the security scan in the Settings app to take much longer in Android 17 (also impacts the stock OS)
  • fix compatibility issue breaking resetting permissions for apps with special-runtime permissions (Nearby Devices is now split to have Local Network access enabled by default for compatibility for apps not targeting Android 17 and there are bugs with how this is handled)
  • Launcher: remove quick search bar from showing on large display devices since Android 17
  • Launcher: remove space reserved for the quick search bar since Android 17
  • add Pixel Comfort View settings for supported devices (Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold)
  • add back error message for entering an incorrect 2nd factor PIN for the GrapheneOS 2-factor fingerprint unlock feature
  • fix compatibility with the native zygote spawning system added by Android 17 which isn't enabled yet (this was added to provide more lightweight sandboxed renderer processes for Chromium and will benefit Vanadium even more due to having finer-grained process isolation but isn't used by Chromium/Chrome yet and our secure spawning will need to be ported to it)
  • GmsCompatConfig: update to version 171

All of the Android 17 security patches from the current July 2026, August 2026, September 2026, October 2026, November 2026 and December 2026 Android Security Bulletins are included in the 2026062101 security preview release. List of additional fixed CVEs:

  • Critical: CVE-2026-28591, CVE-2026-28604, CVE-2026-28639, CVE-2026-28662, CVE-2026-28666, CVE-2026-45515, CVE-2026-45531
  • High: CVE-2025-22442, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2026-28582, CVE-2026-28584, CVE-2026-28588, CVE-2026-28593, CVE-2026-28594, CVE-2026-28599, CVE-2026-28600, CVE-2026-28602, CVE-2026-28603, CVE-2026-28606, CVE-2026-28607, CVE-2026-28612, CVE-2026-28613, CVE-2026-28614, CVE-2026-28617, CVE-2026-28619, CVE-2026-28620, CVE-2026-28622, CVE-2026-28623, CVE-2026-28624, CVE-2026-28626, CVE-2026-28630, CVE-2026-28631, CVE-2026-28633, CVE-2026-28634, CVE-2026-28635, CVE-2026-28638, CVE-2026-28643, CVE-2026-28650, CVE-2026-28652, CVE-2026-28655, CVE-2026-28657, CVE-2026-28658, CVE-2026-28660, CVE-2026-28663, CVE-2026-28664, CVE-2026-28665, CVE-2026-28667, CVE-2026-28668, CVE-2026-28671, CVE-2026-45513, CVE-2026-45514, CVE-2026-45516, CVE-2026-45517, CVE-2026-45518, CVE-2026-45519, CVE-2026-45520, CVE-2026-45521, CVE-2026-45523, CVE-2026-45524, CVE-2026-45525, CVE-2026-45527, CVE-2026-45528, CVE-2026-45529, CVE-2026-49880
  • Unclassified: CVE-2026-28653

For detailed information on security preview releases, see our post about it.

https://grapheneos.org/releases#2026062100

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GmsCompatConfig version 171 released

Changes in version 171:

  • disable default enabled theft protection notification in Android 17
  • update Gradle to 9.6.0

A full list of changes from the previous release (version 170) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

GmsCompatConfig is the text-based configuration for the GrapheneOS sandboxed Google Play compatibility layer. It provides a large portion of the compatibility shims.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

https://github.com/GrapheneOS/platform_packages_apps_GmsCompat/releases/tag/config-171

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS Community Helping Test New GrapheneOS Port to AOSP 17

Our community is helping us test the initial release of GrapheneOS based on Android 17. It's working very well for most people with very few issues. We've resolved the main regressions reported to us already. We'll start builds for a 2nd public release based on 17 later today after a few more fixes.

The most serious issue we fixed is an upstream memory corruption bug in the Broadcom Wi-Fi driver for the Pixel 10, 10 Pro, 10 Pro XL and 10 Pro Fold. The invalid memory access is caught by our use of hardware memory tagging which causes a kernel panic instead of allowing it.

We already fixed this Broadcom Wi-Fi bcm4383 memory corruption bug in our 2026050900 release for the Pixel 8a, 9a and 10a. Pixel 6 through 9a share the same kernel source tree which the 10a is based on. Android 17 added the new code with this bug for real 10th gen Pixels which we missed initially.

Android 17 added a unified PIN interface to SystemUI for use outside of the lockscreen. Our PIN scrambling feature now works beyond the lockscreen too. We increase the DevicePolicyManager PIN and password length to 128 but Android's new PIN entry had it hard-wired to 16 which we've resolved now.

We add a feature making system quick tiles require unlocking by default and exclude tiles where it isn't needed which accidentally caused the new flashlight quick tile to require unlocking which is now fixed. Those are the main issues found so far other than minor UI quirks we're working on fixing.

https://grapheneos.social/@GrapheneOS/116778175884947062

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS version 2026061800 released

This is the initial release of GrapheneOS based on Android 17.

Due to an upstream Android 17 bug, updating to this release via ADB sideload to recovery from a previous release is unavailable. There will be no issues updating to it over-the-air and we'll provide instructions in our testing channels for early experimental testing prior to Alpha. We've added a workaround resolving updating via ADB sideload from this release to a future release. We're working on a resolution to updating via sideload from a previous release. If necessary, we could make a final release based on Android 16 QPR2 with the same workaround solely released for people who only update via sideloading.

Tags:

  • 2026061800 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, Pixel 10a, emulator, generic, other targets)

Changes since the 2026061600 release:

  • full 2026-06-05 Pixel security patch level (released with Android 17)
  • rebased onto CP2A.260605.016 Android Open Source Project release (Android 17)
  • revert in-process Opus codec sandboxed with LFI (Lightweight Fault Isolation) to dedicated sandboxed process in order to restore compatibility with hardware memory tagging and avoid likely holes in LFI
  • Sandboxed Google Play compatibility layer: add stubs for BluetoothLeBroadcast methods
  • Vanadium: update to version 149.0.7827.159.0

All of the Android 17 security patches from the current July 2026, August 2026, September 2026, October 2026, November 2026 and December 2026 Android Security Bulletins are included in the 2026061801 security preview release. List of additional fixed CVEs:

  • Critical: CVE-2026-28591, CVE-2026-28604, CVE-2026-28639, CVE-2026-28662, CVE-2026-28666, CVE-2026-45515, CVE-2026-45531
  • High: CVE-2025-22442, CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2026-28582, CVE-2026-28584, CVE-2026-28588, CVE-2026-28593, CVE-2026-28594, CVE-2026-28599, CVE-2026-28600, CVE-2026-28602, CVE-2026-28603, CVE-2026-28606, CVE-2026-28607, CVE-2026-28612, CVE-2026-28613, CVE-2026-28614, CVE-2026-28617, CVE-2026-28619, CVE-2026-28620, CVE-2026-28622, CVE-2026-28623, CVE-2026-28624, CVE-2026-28626, CVE-2026-28630, CVE-2026-28631, CVE-2026-28633, CVE-2026-28634, CVE-2026-28635, CVE-2026-28638, CVE-2026-28643, CVE-2026-28650, CVE-2026-28652, CVE-2026-28655, CVE-2026-28657, CVE-2026-28658, CVE-2026-28660, CVE-2026-28663, CVE-2026-28664, CVE-2026-28665, CVE-2026-28667, CVE-2026-28668, CVE-2026-28671, CVE-2026-45513, CVE-2026-45514, CVE-2026-45516, CVE-2026-45517, CVE-2026-45518, CVE-2026-45519, CVE-2026-45520, CVE-2026-45521, CVE-2026-45523, CVE-2026-45524, CVE-2026-45525, CVE-2026-45527, CVE-2026-45528, CVE-2026-45529, CVE-2026-49880
  • Unclassified: CVE-2026-28653

For detailed information on security preview releases, see our post about it.

https://grapheneos.org/releases#2026061800

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS Based On AOSP 17 Progress and Upcoming Bug Fixes

We built an initial release of GrapheneOS based on Android 17 (2026061700) but aren't going to release it through our Alpha channel due to discovering a serious upstream bug. Android 17 broke support for sideloading updates via recovery unless the OS images are large enough to exhaust COW space.

The stock Pixel OS is drastically larger than GrapheneOS due to having a massive amount of additional bundled app code for Google Mobile Services, many other Google apps and various Pixel apps. It's always above the threshold triggering the fallback code path for sideloading OS updates in recovery.

Over-the-air updates from both older versions to Android 17 and Android 17 to Android 17 work fine. It's only sideloading impacted by this. We don't want to release an OS version with broken OS update sideloading so we've cancelled 2026061700 and are building 2026061800 with a workaround for it.

Our current workaround is to force enable the fallback code path triggered by large OS images. This will fix sideloading an Android 17 version of GrapheneOS to another Android 17 version of GrapheneOS. However, sideloading Android 17 updates to older versions won't work without a further workaround.

We've tried making a build with a randomly generated 1GiB file included to make GrapheneOS about as large as the stock Pixel OS which fully works around the issue. We're not actually going to do that but rather we'll use the workaround forcing the fallback path for now and we'll find a proper fix.

Our workaround will provide working sideloading from our initial Android 17 release to a future release. However, it isn't currently possible to sideload from 16 QPR2. We could make an extra 16 QPR2 update for people who only sideload updates with the workaround to use until we make a proper fix.

Google didn't run into this because they add so much bloat to the OS for Google Mobile Services including Google Play services along with a bunch of other Google and Pixel apps. Pixel OS is a lot smaller than the OS on most Android devices but it's drastically larger than AOSP and even GrapheneOS.

GrapheneOS uses ahead-of-time compilation for Java/Kotlin code which greatly increases the size of the apps in the OS images. Despite this, it's still drastically smaller than the Pixel OS. It would be substantially larger if we bundled as much code as they do but instead it's the opposite...

https://grapheneos.social/@GrapheneOS/116771745833041286

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

Vanadium version 149.0.7827.159.0 released

Changes in version 149.0.7827.159.0:

  • update to Chromium 149.0.7827.159

A full list of changes from the previous release (version 149.0.7827.114.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

https://github.com/GrapheneOS/Vanadium/releases/tag/149.0.7827.159.0

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS version 2026061600 released

This is our final release based on Android 16 QPR2/QPR3 since we've completed our initial port to Android 17 and are resolving regressions to prepare it for a public release very soon.

Tags:

  • 2026061600 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, Pixel 10a, emulator, generic, other targets)

Changes since the 2026060600 release:

  • skip replacing pairip Play Store installer check with Play Store source stamp checks for apps installed from the Play Store
  • hardened_malloc: add support for Cuttlefish build targets
  • Network Location: require TLSv1.3 for Apple and Apple China location services in addition to the GrapheneOS service
  • kernel (6.1): update to latest GKI LTS branch revision including update to 6.1.174
  • kernel (6.6): update to latest GKI LTS branch revision
  • kernel (6.12): update to latest GKI LTS branch revision
  • Vanadium: update to version 149.0.7827.102.0
  • Vanadium: update to version 149.0.7827.114.0
  • GmsCompatConfig: update to version 170
  • Speech Services: update to version 3

All of the Android 16 security patches from the current July 2026, August 2026, September 2026, October 2026, November 2026 and December 2026 Android Security Bulletins are included in the 2026061601 security preview release. List of additional fixed CVEs:

  • Critical: CVE-2026-27280, CVE-2026-28590, CVE-2026-28591, CVE-2026-28604, CVE-2026-28618, CVE-2026-28639, CVE-2026-28662, CVE-2026-45515, CVE-2026-45531
  • High: CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2026-0053, CVE-2026-0054, CVE-2026-0062, CVE-2026-0063, CVE-2026-0065, CVE-2026-0084, CVE-2026-28572, CVE-2026-28582, CVE-2026-28583, CVE-2026-28584, CVE-2026-28585, CVE-2026-28588, CVE-2026-28593, CVE-2026-28594, CVE-2026-28596, CVE-2026-28599, CVE-2026-28600, CVE-2026-28602, CVE-2026-28603, CVE-2026-28606, CVE-2026-28607, CVE-2026-28609, CVE-2026-28612, CVE-2026-28613, CVE-2026-28614, CVE-2026-28617, CVE-2026-28619, CVE-2026-28620, CVE-2026-28623, CVE-2026-28624, CVE-2026-28626, CVE-2026-28631, CVE-2026-28632, CVE-2026-28633, CVE-2026-28634, CVE-2026-28635, CVE-2026-28636, CVE-2026-28638, CVE-2026-28642, CVE-2026-28643, CVE-2026-28644, CVE-2026-28645, CVE-2026-28650, CVE-2026-28652, CVE-2026-28655, CVE-2026-28656, CVE-2026-28657, CVE-2026-28658, CVE-2026-28660, CVE-2026-28663, CVE-2026-28664, CVE-2026-28665, CVE-2026-28667, CVE-2026-28668, CVE-2026-28670, CVE-2026-28671, CVE-2026-45513, CVE-2026-45514, CVE-2026-45516, CVE-2026-45517, CVE-2026-45518, CVE-2026-45519, CVE-2026-45520, CVE-2026-45521, CVE-2026-45522, CVE-2026-45523, CVE-2026-45525, CVE-2026-45527, CVE-2026-45528, CVE-2026-45529, CVE-2026-49880
  • Unclassified: CVE-2026-28653

For detailed information on security preview releases, see our post about it.

https://grapheneos.org/releases#2026061600

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS Ported To AOSP 17

Today is the official release day for Android 17. We've already fully ported GrapheneOS to Android 17 and are in the process of pushing the code to our public repositories. We're building a final official release based on Android 16 QPR2 today and we'll do an initial Android 17 release tomorrow.

We've already tested the Android 17 port of GrapheneOS on the Pixel 6a, 7, 7a, 8, 10a, 10 and 10 Pro Fold. It will be possible for people to start building and testing it themselves later today once we finish pushing the code. We'll start the process of public testing for official releases tomorrow.

To clarify the 2nd paragraph, we've ported GrapheneOS to Android 17 for all of the supported devices. That's a list of the devices we already built and tested it on. Our initial public release will be available for all the supported devices and we'll have tested it on each by then.

https://grapheneos.social/@GrapheneOS/116761780775816508

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS Speech Services version 3 released

Notable changes in version 3:

  • sync ONNX session close with runs to avoid upstream memory corruption bugs in ONNX caught by GrapheneOS hardware memory tagging
  • update Kotlin to 2.4.0
  • update detekt library to 2.0.0-alpha.4
  • update AndroidX Core KTX library to 1.19.0

A full list of changes from the previous release (version 2) is available through the Git commit log between the releases.

GrapheneOS Speech Services provides a built-in text-to-speech implementation for GrapheneOS using a fully open source model for English (US) meaning fully open source training code/data. In the future, it will be expanded to other languages and will also provide speech-to-text. The models built into the app included in GrapheneOS must be fully open source but it can be extended to support additional choices for models distributed through our App Store as additional packages without the same constraint.

Major improvements to performance and the quality of the output will be provided in near future releases. The output is currently slightly distorted by one of the audio processing steps which can be fully removed and replaced by training a new model without a dependency on it. The performance can also be heavily improved by removing or optimizing the audio processing followed by implementing hardware acceleration for the model.

Speech Services should be installed from our App Store which can be installed outside GrapheneOS from GitHub.

https://github.com/GrapheneOS/SpeechServices/releases/tag/3

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS Foundation Explains How Forum Spam is Reduced

Mike Kuketz has never had any role in the GrapheneOS project. He certainly isn't a GrapheneOS developer. He uses GrapheneOS and has a widely known privacy blog and community where he has written about it. That doesn't somehow make him part of GrapheneOS.

https://x.com/CryptoCyberia/status/2065832332313919886

Kuketz hosts a German language forum about privacy at https://kuketz-forum.de/. It's hosted with the widely used open source Discourse project. It has the standard account system and metadata retention of Discourse. Many sites use Discourse and he has nothing to do with making it.

People used Discourse's data export feature to obtain their data from his forum and are upset with Kuketz about how much metadata is retained by Discourse. He didn't make the software but rather is using it so that's already a bit extreme but blaming us is absolutely ridiculous.

GrapheneOS has over 400k users. It's hard to understand why one of our users running a Discourse forum is resulting in us suddenly getting attacked across platforms. These attacks on GrapheneOS happening across platforms every single day are increasingly desperate and ridiculous.

Our forum at https://discuss.grapheneos.org/ is hosted with Flarum rather than Discourse. Neither is written in a language we would have chosen and we would have done things differently. We prefer Flarum over Discourse though and have made small changes to improve privacy and security.

Forum software needs IP addresses to protect against spammers. We use StopForumSpam's database to block spammers from registering. For privacy reasons, we download IP blocklists instead of querying their API and they made a special setup for us to get more than hourly updates.

https://grapheneos.social/@GrapheneOS/116744684133848004

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

Vanadium version 149.0.7827.114.0 released

Changes in version 149.0.7827.114.0:

  • update to Chromium 149.0.7827.114
  • enable upstream feature flag for faster default WebView user agent retrieval
  • make the reduced default WebView user agent feature compatible with the flag for faster retrieval
  • resolve Google app crash caused by an empty NetworkAnonymizationKey in a WebView-specific code path
  • fix handling Sensors permission for Motion Sensors site setting
  • fix handling schemes and port for Motion Sensors site setting exceptions

A full list of changes from the previous release (version 149.0.7827.102.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

https://github.com/GrapheneOS/Vanadium/releases/tag/149.0.7827.114.0

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GmsCompatConfig version 170 released

Changes in version 170:

  • force Pixel Buds to use standalone mode designed for non-Pixel devices without built-in support for it
  • add stub for TelephonyManager.getIccAuthentication() to avoid rare Play services crash
  • update Android SDK to 37 (Android 17)
  • update Android target SDK version to 37 (Android 17)
  • update Android build tools to 37.0.0
  • update Kotlin to 2.4.0
  • update Kotlin Symbol Processing to 2.3.9
  • update Android Gradle plugin to 9.2.1

A full list of changes from the previous release (version 169) is available through the Git commit log between the releases (only changes to the gmscompat_config text file and config-holder/ directory are part of GmsCompatConfig).

GmsCompatConfig is the text-based configuration for the GrapheneOS sandboxed Google Play compatibility layer. It provides a large portion of the compatibility shims.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

https://github.com/GrapheneOS/platform_packages_apps_GmsCompat/releases/tag/config-170

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

Vanadium version 149.0.7827.102.0 released

Changes in version 149.0.7827.102.0:

  • update to Chromium 149.0.7827.102
  • use default iframe process grouping while we determine which mode would be best

A full list of changes from the previous release (version 149.0.7827.59.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

https://github.com/GrapheneOS/Vanadium/releases/tag/149.0.7827.102.0

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS version 2026060600 released

Tags:

  • 2026060600 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, Pixel 10a, emulator, generic, other targets)

Changes since the 2026060100 release:

  • Launcher: fix upstream bug causing the recents button to become unresponsive for users with third party launchers
  • replace validation of Play Store source stamps with a correct implementation (this isn't yet used for security-sensitive purposes but we plan to begin using it to replace security-relevant Play Store source checks in the near future)
  • replace implementation of using Play Store source stamps as a substitute for Play Store installer checks included as part of Play Store anti-tampering protection enabled by certain apps (this prevents using the apps when combined with the Play Integrity API store listing toggles)
  • Settings: correctly reset tethering offload developer setting when disabling developer options
  • Settings: add one-time reset of tethering offload developer setting to re-enable it for everyone who had it disabled by the upstream Android bug when disabling developer options
  • Settings: fix upstream null pointer exception bug in SettingsBasePreferenceFragment when listView is null which occurs with at least one of the developer options
  • Pixel 10a: add missing SELinux policy for Pixel Camera TPU usage
  • Vanadium: update to version 149.0.7827.59.0
  • AppCompatConfig: update to version 5
  • AppCompatConfig: update to version 6

All of the Android 16 security patches from the current July 2026, August 2026, September 2026, October 2026 and November 2026 Android Security Bulletins are included in the 2026060601 security preview release. List of additional fixed CVEs:

  • Critical: CVE-2026-27280, CVE-2026-28590, CVE-2026-28591, CVE-2026-28604, CVE-2026-28618, CVE-2026-28639, CVE-2026-28662
  • High: CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2026-0053, CVE-2026-0054, CVE-2026-0062, CVE-2026-0063, CVE-2026-0065, CVE-2026-0084, CVE-2026-28572, CVE-2026-28582, CVE-2026-28583, CVE-2026-28584, CVE-2026-28585, CVE-2026-28588, CVE-2026-28593, CVE-2026-28594, CVE-2026-28596, CVE-2026-28599, CVE-2026-28600, CVE-2026-28602, CVE-2026-28603, CVE-2026-28606, CVE-2026-28607, CVE-2026-28609, CVE-2026-28612, CVE-2026-28613, CVE-2026-28614, CVE-2026-28617, CVE-2026-28619, CVE-2026-28620, CVE-2026-28623, CVE-2026-28624, CVE-2026-28626, CVE-2026-28631, CVE-2026-28632, CVE-2026-28633, CVE-2026-28634, CVE-2026-28635, CVE-2026-28636, CVE-2026-28638, CVE-2026-28642, CVE-2026-28643, CVE-2026-28644, CVE-2026-28645, CVE-2026-28650, CVE-2026-28652, CVE-2026-28655, CVE-2026-28656, CVE-2026-28657, CVE-2026-28658, CVE-2026-28660, CVE-2026-28663, CVE-2026-28667, CVE-2026-28668, CVE-2026-28670, CVE-2026-28671
  • Unclassified: CVE-2026-28653

For detailed information on security preview releases, see our post about it.

https://grapheneos.org/releases#2026060600

grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS GeoDNS Improvements Via IPinfo.io

In April, Mullvad provided sponsored DataPacket servers for GrapheneOS in Dallas and Frankfurt which each have 50Gbps peak bandwidth capacity. These now serve a large portion of the updates to GrapheneOS users and add a lot of capacity to our other services including our anycast authoritative DNS.

We also have sponsored servers from ReliableSite, Cherry Servers, Zare and Xenyth. There are a total of 8 sponsored servers where 7 are primarily update mirrors. The update mirror servers also serve our website and network services as a replacement for VPS instances for the locations we have them.

We host 2 anycast networks with our own ASN and IP space in order to self-host anycast DNS servers providing the authoritative DNS resolution for all of our services. Both IPv4 /24 blocks we use for anycast DNS were obtained for free from ARIN via NRPM 4.10 along with the IPv6 space.

Our DNS servers use GeoDNS to direct connections to the lowest latency servers and implement automatic failover via health checks and 5 minute expiry for the DNS records. It provides a lot of redundancy for the many critical services used by GrapheneOS. We essentially run our own CDN for our users.

If one of our DNS servers goes down or fully loses connectivity, BGP routing across the internet will quickly adjust to send traffic to the other servers in the network. If a DNS resolver fails to get an answer from one of the anycast DNS networks, it will automatically fall back to the other one.

Our GeoDNS was recently massively improved via IPinfo.io sponsoring us with free access to their standard GeoIP database. They use over 1300 probes to scan the internet instead of relying on very inaccurate/incomplete WHOIS/geofeed data. We nearly always use the right server thanks to this database.

We need additional dedicated servers for updates and other services in APAC where bandwidth is more expensive (Singapore, Sydney and Tokyo). We also need another server in North America to go along with our 2nd server from Cherry Servers in Amsterdam used to provide our opt-in geocoding service.

We have enough bandwidth for updates in Europe and North America to handle quite a lot of further userbase growth. We do need additional servers for other things. Several other server providers contacted us with sponsorship offers but we mainly need several APAC servers now which is more costly.

A full list of our public-facing servers is available at https://grapheneos.org/articles/grapheneos-servers with links to repositories with the per-service configuration. The most interesting parts are BGP communities configuration for our anycast DNS networks and our email server hosted with Postfix/Dovecot/Rspamd.

https://grapheneos.social/@GrapheneOS/116705152928219795
grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

AppCompatConfig version 6 released

Changes in version 6:

  • stop explicitly marking Uber apps as compatible with Dynamic Code Loading via Storage since there are cases where it's needed (this was automatically detected by the OS prior to AppCompatConfig version 5 which wasn't moved to the Stable channel)
  • update Kotlin to 2.4.0

A full list of changes from the previous release (version 5) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

AppCompatConfig version 6 released: https://github.com/GrapheneOS/platform_packages_apps_AppCompatConfig/releases/tag/6
grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

AppCompatConfig version 5 released

Changes in version 5:

  • disable hardened_malloc for the Uber apps by default due to buggy anti-tampering code parsing /proc/self/smaps while allocating a lot of memory and infinite looping until it runs out of memory due to creating new VMAs (also enables other per-app protections by default due to how compatibility entries work)
  • extend Chrome configuration to the Beta, Canary and Dev variants
  • extend Brave configuration to the Beta and Nightly variants
  • use Long integer for bitwise operation to avoid a future issue
  • update Android SDK to 37 (Android 17)
  • update Android target SDK to 37 (Android 17)
  • update Android build tools to 37.0.0
  • update Protobuf Gradle plugin to 0.10.0
  • update Protobuf libraries to 4.35.0
  • update Android Gradle plugin to 9.2.1 and replace deprecated functionality
  • update Kotlin to 2.3.20
  • update Kotlin Symbol Processing plugin to 2.3.9

A full list of changes from the previous release (version 4) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release.

AppCompatConfig version 5 released: https://github.com/GrapheneOS/platform_packages_apps_AppCompatConfig/releases/tag/5
grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

Vanadium version 149.0.7827.59.0 released

Changes in version 149.0.7827.59.0:

  • update to Chromium 149.0.7827.59

A full list of changes from the previous release (version 149.0.7827.48.0) is available through the Git commit log between the releases.

This update is available to GrapheneOS users via our app repository and will also be bundled into the next OS release. Vanadium isn't yet officially available for users outside GrapheneOS, although we plan to do that eventually. It won't be able to provide the WebView outside GrapheneOS and will have missing hardening and other features.

Vanadium version 149.0.7827.59.0 released: https://github.com/GrapheneOS/Vanadium/releases/tag/149.0.7827.59.0
grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS version 2026060100 released

Tags:

  • 2026060100 (Pixel 6, Pixel 6 Pro, Pixel 6a, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel Tablet, Pixel Fold, Pixel 8, Pixel 8 Pro, Pixel 8a, Pixel 9, Pixel 9 Pro, Pixel 9 Pro XL, Pixel 9 Pro Fold, Pixel 9a, Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold, Pixel 10a, emulator, generic, other targets)

Changes since the 2026052400 release:

  • full 2026-06-01 security patch level
  • fix Location access indicator to always properly display when only coarse location is granted too
  • kernel (Pixel): fix upstream use-after-free bug in Broadcom Wi-Fi driver caught by hardware memory tagging
  • kernel (Pixel 10, Pixel 10 Pro, Pixel 10 Pro XL, Pixel 10 Pro Fold): fix upstream out-of-bounds array read caught by hardware memory tagging in the DisplayPort driver when using the XReal One Pro (AR glasses) due to the glasses implementing the DisplayPort protocol incorrectly and the kernel driver not properly handling the incorrect data
  • kernel (6.1): update to latest GKI LTS branch revision
  • kernel (6.6): update to latest GKI LTS branch revision
  • kernel (6.12): update to latest GKI LTS branch revision including update to 6.12.89
  • Speech Services: update to version 2
  • Vanadium: update to version 149.0.7827.48.0
  • Auditor: update to version 92

All of the Android 16 security patches from the current July 2026, August 2026, September 2026, October 2026 and November 2026 Android Security Bulletins are included in the 2026060101 security preview release. List of additional fixed CVEs:

  • Critical: CVE-2026-27280, CVE-2026-28590, CVE-2026-28591, CVE-2026-28604, CVE-2026-28618, CVE-2026-28639, CVE-2026-28662
  • High: CVE-2025-48564, CVE-2025-48565, CVE-2025-48566, CVE-2026-0053, CVE-2026-0054, CVE-2026-0062, CVE-2026-0063, CVE-2026-0065, CVE-2026-0084, CVE-2026-28572, CVE-2026-28582, CVE-2026-28583, CVE-2026-28584, CVE-2026-28585, CVE-2026-28588, CVE-2026-28593, CVE-2026-28594, CVE-2026-28596, CVE-2026-28599, CVE-2026-28600, CVE-2026-28602, CVE-2026-28603, CVE-2026-28606, CVE-2026-28607, CVE-2026-28609, CVE-2026-28612, CVE-2026-28613, CVE-2026-28614, CVE-2026-28617, CVE-2026-28619, CVE-2026-28620, CVE-2026-28623, CVE-2026-28624, CVE-2026-28626, CVE-2026-28631, CVE-2026-28632, CVE-2026-28633, CVE-2026-28634, CVE-2026-28635, CVE-2026-28636, CVE-2026-28638, CVE-2026-28642, CVE-2026-28643, CVE-2026-28644, CVE-2026-28645, CVE-2026-28650, CVE-2026-28652, CVE-2026-28655, CVE-2026-28656, CVE-2026-28657, CVE-2026-28658, CVE-2026-28660, CVE-2026-28663, CVE-2026-28667, CVE-2026-28668, CVE-2026-28670, CVE-2026-28671
  • Unclassified: CVE-2026-28653

For detailed information on security preview releases, see our post about it.

GrapheneOS version 2026060100 released: https://grapheneos.org/releases#2026060100
grapheneos · GrapheneOS [Unofficial] by KindnessInfinity

GrapheneOS Foundation's Response To CVE-2025-48595

June 2026 Android Security Bulletin notes CVE-2025-48595 is being exploited in the wild. It's being widely misreported in tech media as a 0-day vulnerability being exploited. That's a major misunderstanding of Android Security Bulletins and how poorly OEMs keep up with patches.

Google disclosed CVE-2025-48595 to OEMs in a security preview release near the end of September 2025. Those patches are allowed to be shipped right away, so it was included in our 2025092501 release. We noted it was already publicly fixed so it was added to our regular releases too in 2025100300.

We quickly shipped the patch after it was disclosed to OEMs by Google but we plan to do better in the future. SQLite 3.44.5 was released with this backport on 2025-07-24. We weren't previously aware SQLite maintained upstream LTS branches for Android but our plan is to closely follow those now.

In this case, Google slipped up and took 2 months to add the patch to the security preview releases. We plan to avoid that in the future by handling this ourselves because this happens too often. It's also a nice example of how Android Security Bulletins set extremely low expectations for OEMs.

GrapheneOS quickly ships all security preview patches. Every AOSP patch included in the Android Security Bulletins was already available in GrapheneOS for over a month. We end up shipping patches 2-3 months earlier. Google having such low expectations for OEMs and even themselves is ridiculous.

Android's security patch system doesn't make any sense and is completely at odds with how quickly people can discover and exploit vulnerabilities with the help of LLMs. The security preview release system would be far more reasonable if the embargo for sources and details was no more than 48 hours.

Google's embargo system harms security for nearly all Android users by setting the expectation of patches taking 2 to 6 months for OEMs to ship after disclosure. Patches are available to sophisticated attackers as soon as Google discloses them to OEMs. A partial embargo for months makes no sense.

https://grapheneos.social/@GrapheneOS/116681622144145170